Date: Wed, 19 Dec 2012 22:47:03 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: information disclosure flaw in php-ZendFramework
 (ZF2012-05)

On 12/19/2012 09:46 PM, Vincent Danen wrote:
> There doesn't seem to be a CVE for this issue.  Could one be
> assigned? Thanks.
> 
> 
> A vulnerability was reported in Zend Framework versions prior to
> 1.11.15 and 1.12.1, which can be exploited to disclose certain
> sensitive information.  This flaw is caused due to an error in the
> "Zend_Feed_Rss" and "Zend_Feed_Atom" classes of the "Zend_Feed"
> component, when processing XML data.  It can be used to disclose
> the contents of certain local files by sending specially crafted
> XML data including external entity references.
> 
> 
> References: http://framework.zend.com/security/advisory/ZF2012-05 
> https://bugzilla.redhat.com/show_bug.cgi?id=889037 
> http://secunia.com/advisories/51583

Please use CVE-2012-5657 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

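
A defensive pattern for the flaw class described in the quoted report (external entity references in feed XML), added here as an example; it is not part of the original message and is not the Zend Framework fix. `loadUntrustedFeed` is a hypothetical helper, and both sample feeds and the placeholder file path are constructed.

```php
<?php
// Added example: hypothetical helper, not Zend Framework code.
// Entities can only be declared inside a DOCTYPE, so a feed parser that
// refuses any DOCTYPE never resolves an external entity reference.
function loadUntrustedFeed(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty feed');
    }
    // PHP < 8.0 may run on a libxml2 that loads external entities by default;
    // switch the loader off for the parse. Deprecated (and unneeded) on PHP 8.
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately absent: no entity substitution.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($legacy) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
    if (!$ok) {
        throw new InvalidArgumentException('Feed is not well-formed XML');
    }
    foreach ($doc->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('Feed contains a DOCTYPE; rejected');
        }
    }
    return $doc;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'benign' => '<?xml version="1.0"?><rss version="2.0"><channel><title>ok</title></channel></rss>',
    'withEntity' => '<?xml version="1.0"?>'
        . '<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///path/to/local/file">]>'
        . '<rss version="2.0"><channel><title>&ext;</title></channel></rss>',
];
foreach ($samples as $name => $xml) {
    try {
        $title = loadUntrustedFeed($xml)->getElementsByTagName('title')->item(0)->textContent;
        echo $name, ': accepted, title=', $title, "\n";
    } catch (InvalidArgumentException $e) {
        echo $name, ': ', $e->getMessage(), "\n";
    }
}
```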
